Those watching the evolving landscape of cyber insurance coverage were buzzing in May when Columbia Casualty Company, a CNA Financial Corp. unit, filed a declaratory judgment action against its insured, Cottage Health System seeking: (1) reimbursement of defense and settlement payments CNA made to Cottage stemming from a class action lawsuit in California state court and (2) a declaration that CNA does not have to defend or indemnify Cottage in a related regulatory proceeding.  Columbia Casualty Company v. Cottage Health System, C.D.Cal. No. CV 15-03432 DDP (AGRx) (filed May 7, 2015).

As a brief background, a putative class action lawsuit was filed on January 28, 2014 alleging Cottage and its IT vendor, inSync, failed to prevent over 30,000 patient records from being publicly disclosed on the internet. The lawsuit alleged Cottage and inSync violated the California Confidentiality of Medical Information Act for their negligence in the data breach.  The Orange County Superior Court approved a $4.125 million settlement fund in December 2014, ending the class action.  CNA agreed to pay the settlement under a full reservation of rights.

CNA had sold to Cottage a NetProtect360 claims-made policy providing coverage from October 1, 2013 through October 1, 2014. In its complaint, CNA acknowledged that the NetProtect360 provides coverage for Privacy Injury Claims and Privacy Regulation Proceedings, but alleged that the claims at issue were not covered by the policy. Columbia Casualty Company v. Cottage Health System, C.D.Cal. No. CV 15-03432 DDP (AGRx), Complaint  ¶24 (filed May 7, 2015).

Essentially, CNA argued it was not obligated to provide coverage for defense costs or the settlement amount because Cottage failed to “continuously implement the procedures and risk controls identified in the Insured’s application for this Insurance ...” Columbia Casualty Company v. Cottage Health System, C.D.Cal. No. CV 15-03432 DDP (AGRx), Complaint  ¶40 (filed May 7, 2015). This language is the heart of the “Failure to Follow Minimum Required Practices” exclusion in the NetProtect360 Policy.

Based on the allegations in the complaint, the stage appeared to be set for another coverage ruling involving a cyber-insurance policy in federal court. However, the NetProtect360 Policy also included the following mandatory ADR Provision: “all disputes or differences between the Insured and the Insurer which may arise under or in connection with this policy, whether arising before or after termination of this policy, including any determination of the amount of damages or claim expenses, shall be submitted to the alternative dispute resolution (“ADR”) process set forth in this Section.”

Counsel for Cottage filed a motion to dismiss the complaint based on this provision, arguing “CNA has not met a critical condition precedent to suit – compliance with CNA’s mandatory [ADR] requirements in CNA’s insurance policy issued to Cottage.” Columbia Casualty Company v. Cottage Health System, C.D.Cal. No. CV 15-03432 DDP (AGRx), Motion to Dismiss, 1 (filed June 18, 2015).

U.S. District Judge Dean Pregerson granted Cottage’s motion to dismiss without prejudice citing this provision. Judge Pregerson explained that the ADR Provision “controls the timing of suits arising out of the policy and requires that the ADR process take place before a lawsuit is initiated.” Columbia Casualty Company v. Cottage Health System, C.D.Cal. No. CV 15-03432 DDP (AGRx), Order Granting Motion to Dismiss, 2 (July 17, 2015). CNA failed to exhaust all of the non-judicial remedies contained in the insurance policy, and Judge Pregerson ruled this failure to exhaust was clear from the face of the complaint.Id. at 3. Subsequently, Judge Pregerson granted Cottage’s Motion to Dismiss pursuant to Federal Rule of Civil Procedure 12(b)(6).

Did CNA fail to review or understand the terms of its own policy before it filed suit? The case docket and related filings do not shed any light on that point.  Either way, policyholders are well-served to engage competent coverage counsel to review all aspects of their policy when a data breach occurs, including applicable alternative dispute resolution provisions.